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ABSTRACT 


CUSTOMER  PERCEPTION  OF  SECURITY 


Large  Increases  in  the  prices  of  petroleum  products  within  the  past  five  years  have 
brought  corresponding  increases  in  the  attractiveness  of  the  theft  of  such  products 
from  unattended  bulk  petroleum  terminals. 

INPUT'S  research  finds  that  state-of-the-art  terminal  automation  systems  employing 
machine-readable  access  cards  have  the  potential  for  deterring  theft  of  product. 
When  access  to  the  load  racks  and  enabling  of  pump  permissives  requires  both  the  use 
of  machine-readable  cards  and  manual  entry  of  a  code,  unauthorized  withdrawal  of 
product  is  directly  traceable  to  an  individual  driver.  However,  enforcement  of 
regulations  to  keep  the  manually  entered  codes  secret  and  separate  from  the  cards  is 
an  administrative  issue,  not  a  systems  issue. 
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I  INTRODUCTION 


A.      PURPOSE  AND  SCOPE 

•  This  report  was  prepared  by  INPUT  as  a  custom  study  for  the  Atlantic 
Richfield  Company. 

•  The  objective  of  the  study  was  to  determine  how  customers  perceive  the 
potential  for  theft,  computer  failure,  and  other  issues  relative  to  the  security 
of  automated  bulk  terminal  systems. 

Rather  than  interviewing  customers  directly,  and  perhaps  engendering 
alarm  among  them,  INPUT  proposed  to  interview  the  top  20  petroleum 
companies,  which  account  for  85%  of  the  dollar  value  of  the  terminal 
market  and  almost  70%  of  the  units  in  operation. 

This  plan  was  subsequently  modified  to  include  vendors  in  the  interview 
sample. 

•  The  scope  of  the  study  is  limited  to  the  administrative  and  procedural  aspects 
of  security  as  supported  by  terminal  automation  systems.  Considerations  of 
system  design  and  implementation  are  not  addressed. 
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RESEARCH  AND  METHODOLOGY 


This  study  began  with  a  planning  meeting  involving  Atlantic  Richfield  staff 
and  INPUT  staff  in  Los  Angeles,  California. 

A  questionnaire  was  developed  by  INPUT  and  approved  by  Atlantic  Richfield 
to  be  used  as  the  basis  for  interviewing  17  operators  and  three  vendors  of 
terminal  automation  systems. 

Originally,  the  timetable  called  for  completion  of  the  study  within  five  to  six 
weeks  after  it  had  begun. 

However,  the  timetable  was  extended  when  it  became  apparent  that  the 
sensitive  nature  of  the  topic  resulted  in  a  disproportionately  high 
number  of  mail  questionnaires. 

Normally,  INPUT'S  experience  has  been  that  only  10-15%  of 
interviewees  would  request  a  chance  to  review  the  questionnaire 
before  responding. 

For  this  study,  85-90%  of  the  individuals  asked  to  see  the 
questionnaire  before  committing  to  an  interview,  and  more  than 
half  indicated  that  they  had  obtained  prior  clearance  from  their 
respective  legal  departments. 

Of  the  15  interviews  completed,  three  were  conducted  by  telephone  and 
two  were  on-site.  The  balance  were  filled  out  by  respondents  and 
returned  to  INPUT. 

INPUT  staff  maintained  frequent  telephone  contact  with  Atlantic  Richfield  to 
keep  Atlantic  Richfield  apprised  of  the  status  of  the  interview  phase. 
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•  With  the  concurrence  of. Atlantic  Richfield,  INPUT  terminated  the  interview 
phase  of  this  study  after  15  interviews  had  been  obtained. 

Although  the  intent  was  to  interview  20  organizations,  INPUT  found 
that  the  universe  of  potential  interviewees  had  shrunk  due  to  acquisi- 
tions and  because  some  vendors  have  dropped  out  of  the  business. 

•  The  participants  identified  in  Exhibit  I-l  nevertheless  represent  a  significant 
portion  of  the  total  universe.  Further  attempts  to  complete  the  full  schedule 
of  twenty  interviews  were  cancelled  with  the  concurrence  of  Atlantic 
Richfield. 

•  Three  organizations  that  were  contacted  declined  to  participate,  for  the 
reasons  given  below. 

Marathon  Oil;  Marathon  felt  that  participation  would  entail  the 
disclosure  of  proprietary  information. 

Standard  Oil  of  California;  SOCAL  stated  that  it  has  barely  begun  to 
automate  its  bulk  terminals,  and  would  therefore  be  unable  to  con- 
tribute any  meaningful  information  to  the  study. 

Gulf  Oil;  Gulf  did  not  specify  any  reason  for  declining  to  participate. 
The  fact  that  Gulf  owns  General  Atomic  may  have  a  bearing  on  Gulf's 
refusal. 

•  Seven  organizations  that  were  contacted  either  did  not  respond  to  repeated 
contact  attempts,  or  else  indicated  an  interest  in  participating  but  could  not 
fill  out  and  return  the  questionnaires  within  the  available  time  period. 

America  Petrofina. 

Colonial  Oil. 
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EXHIBIT  I- 1 


PARTICIPATING  ORGANIZATIONS 


Operators. 

>.     .  . 

AMOCO.  -  Mobil. 

BP  Oil.  -         Murphy  Oil. 

CONOCO.  -  Phillips. 

Crown  Central.  -         Shell  Oil. 

Exxon.  -  TOSCO. 

Getty.  -         Triangle  Refineries. 

Kerr-McGee  Refining. 
Vendors. 

General  Atomic. 
Petrodata. 
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Ashland  Oil. 

Standard  Oil  of  Ohio  (Gibbs  Oil). 
Amerada  Hess. 

Engineered  Systems,  Inc.  (ESI)  (vendor). 
Time  Oil. 

Results  of  the  primary  interviews  obtained  were  verified  by  supplementary 
interviews  with  industry  knowledgeable  sources. 

Results  have  been  aggregated  and  shuffled  in  such  a  way  as  to  preserve 
anonymity  and  confidentiality  of  sources.  In  particular,  it  should  be  noted  that 
respondents  referred  to  as  A,  B,  C,  etc.,  are  shuffled  from  one  exhibit  to  the 
next. 

All  conclusions  should  be  construed  to  be  the  best  opinion  of  INPUT,  based  on 
the  cumulative  effect  of  the  data  and  analysis  described  above. 
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SUMMARY   OF  FINDINGS 


SUMMARY  OF  FINDINGS 


The  most  prevalent  method  employed  to  control  access  to  automated  bulk 
terminals  is  through  the  use  of  card-activated  gates  and  load  racks.  This 
method  is  employed  by  80%  of  the  respondents.  Supplementary  methods 
employed,  and  the  percentages  of  respondents  indicating  their  use,  are: 

Locked  gate  -  67%. 

Requiring  the  driver  to  pick  up  the  bill  of  lading  away  from  the  load 
rack  -  60%. 

This  procedure  is  a  safety  measure  as  well  as  a  security  measure. 
Some  printers  are  not  explosion  proof,  and  must  be  located  some 
distance  from  the  pumps. 

Requiring  the  driver  to  check  in  with  the  terminal  shed  staff  before 
(47%)  or  after  (40%)  loading. 

Punched  plastic  access  cards  are  the  most  prevalent  physical  card  type  used 
(80%). 

Color  coded  cards  are  used  by  4096  of  the  respondents.  Color  coding  is 
used  to  aid  the  driver  in  distinguishing  among  card  types. 
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Cards  with  magnetic  stripes  and  magnetically  embedded  cards  are  each 
used  by  23%  of  the  respondents. 

•  Multiple  card  systems  are  most  common,  with  53?^  of  respondents  Indicating 
use  of  a  two-card  system  exclusively  and  another  20%  using  two-  or  three-card 
systems  In  some  of  their  terminals. 

•  Punched  plastic  access  cards  are  produced  either  at  the  terminal  shed  or  away 
from  the  terminal,  while  magnetic  cards  are  never  made  at  the  terminal. 

The  equipment  required  to  encode  information  on  a  magnetic  stripe  or 
In  a  magnetically  embedded  card  is  fairly  expensive  as  compared  to 
card  punches.  Therefore,  the  cards  using  magnetic  stripes  or  magnetic 
embedding  are  made  either  at  respondents'  headquarters  (or  other 
locations)  or  at  a  card  vendor's  facility. 

•  The  strengths  of  punched  plastic  cards  are  viewed  as  follows: 

They  are  easy  to  create,  easy  to  work  with,  easy  to  encode. 
Better  card  control  is  possible  at  the  the  local  site. 
They  are  rugged  and  reliable. 

•  Punched  plastic  cards  are  deemed  to  have  the  following  weaknesses: 

They  are  easily  duplicated. 

They  are  susceptible  to  damage  and  distortion. 

They  are  not  controlled  from  a  central  location. 

Adjustment  of  loading  privileges  can  be  a  problem  when  re-issuing 
cards. 
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Respondents  feel  that  cards  with  magnetic  striping  possess  the  following 
strengths: 

They  cannot  be  easily  duplicated. 

They  are  easy  to  control. 

They  are  very  stable  and  reliable. 

They  are  secure. 

They  are  directly  traceable  to  a  driver. 

Weaknesses  specified  for  magnetically  striped  cards  are: 

They  are  not  impossible  to  duplicate,  and  have  in  some  cases  been 
easily  duplicated. 

They  are  more  costly  to  make  than  punched  cards,  and  are  not  readily 
available. 

They  are  subject  to  breakage,  demagnetization,  and  degradation. 

Few  respondents  could  comment  on  magnetically  embedded  cards,  as 
experience  with  these  cards  is  limited.  Those  that  offered  comments 
described  their  strengths  as  the  relative  difficulty  of  duplication.  A  weakness 
is  that  they  are  subject  to  degradation. 

Respondents  generally  avoided  comment  on  how  their  customers  felt  with 
respect  to  strengths  and  weaknesses  of  the  various  types  of  cards,  but  some 
stated  that  the  customers  must  not  object  too  strongly  because  they  accept 
what  they  are  given. 
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Identification  information  most  commonly  embedded  in  tiie  cards  include  the  ' 
driver  ID  (87%),  carrier  ID  (80%)  and  customer  ID  (80%).  ' 

Besides  the  use  of  the  cards,  access  is  also  controlled  by  requiring  the 

driver  to  enter  a  personal  identification  number  (PIN)  in  47%  of  the  j 

cases.  j 

I 

Terminal  automation  systems  verify  the  validity  of  all  information  recorded  on  | 
the  cards  as  well  as  any  information  that  must  be  entered  separately  by  the 

driver.                             '  \ 

Additionally,  the  systems  can  check  the  following  information  against  data 
previously  stored  in  the  computer's  files. 

Type  of  product  dispensed  1 00% 

Volume  of  product  dispensed  93% 

The  customer's  allocation  limits  80% 

Time  of  day  or  day  of  the  week  67% 

With  the  possible  exception  of  magnetically  embedded  cards,  systems 
currently  installed  cannot  detect  a  counterfeit  which  is  an  exact  duplicate  of  a 
valid  card. 

However,  encrypting  algorithms  are  used  to  produce  the  codes  that  are 
recorded  on  the  cards.  When  the  cards  are  used,  complementary 
decrypting  algorithms  are  used  to  convert  the  data  into  a  form  that  can 
be  checked  against  a  master  file. 

Without  access  to  the  encrypting  algorithm,  a  counterfeiter 
cannot  create  a  fictitious  account  number. 


-  10  - 


INPU 


A  respondent  (vendor)  who  uses  magnetically  embedded  cards  stated 
that  the  system's  ability  to  detect  counterfeits  is  proprietary 
information.  INPUT  concludes  that  this  technology  very  likely  makes 
counterfeit  detection  easier. 

The  problem  of  preventing  fictitious  account  numbers  is  not  as  serious  as 
detecting  duplicate  or  invalid  use  of  true  account  numbers.  However, 
prevention  techniques  for  the  latter  situation , are  primarily  administrative 
rather  than  technological. 

Regardless  of  the  card  type  used,  it  is  widely  held  among  respondents  that  the 
use  of  a  Personal  Identification  Number  (PIN)  in  conjunction  with  cards  is  a 
significant  benefit  to  security.  This  is  undoubtedly  affected  by  respondents' 
perception  that  the  most  prevalent  pattern  of  actual  or  attempted  theft  of 
petroleum  product  is  an  "inside  job,"  or  at  least  involves  someone  with  specific 
knowledge  of  the  system. 

While  access  cards  may  be  lost  or  stolen,  the  PIN  cannot  be  conveyed 
inadvertently,  unless  the  drivers  thwart  the  purpose  of  a  PIN  by  writing 
the  PIN  on  the  cards. 

Countering  this  procedure  violation  is  an  administrative  problem. 
Terminal  automation  systems  cannot  prevent  such  violations. 

In  any  case,  actual  or  attempted  theft  may  be  directly  traceable  to  an 
individual  driver  when  a  PIN  is  used.  INPUT  recommends  that  legal 
counsel  be  sought  before  attributing  liability  for  such  occurrences. 

Most  activity  summary  reports  produced  by  the  terminal  automation  systems 
are  reviewed  daily  by  the  terminal  managers  and/or  members  of  their  staffs. 
Daily  reviews  insure  that  unusual  activity  does  not  go  undetected  for  more 
than  24  hours. 


•  All  respondents  stated  that  contractual  arrangennents  with  their  custonners 
make  the  custonner  liable  for  all  product  withdrawn  through  use  of  cards  issued 
to  the  customer  until  two  conditions  are  met:  first,  the  customer  must  notify 
the  operator  that  a  card  has  been  lost  or  stolen,  and  second,  the  operator  must 
lock  that  card  out  of  the  system. 

it  is  felt  that  this  contractual  liability  is  sufficient  incentive  to  make 
the  customer  insure  that  cards  issued  to  him  or  his  agents  are  not  used 
fraudulently. 

Over  and  above  this  contractual  liability,  some  respondents  require: 
Posting  of  an  indemnity  bond. 
Proof  of  insurance. 

Written  authorization  from  the  customer  the  first  time  a  driver 
uses  a  card. 

Individual  keystop  agreements  signed  by  each  driver. 
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ANALYSIS   OF  RESPONSES 


Ill        ANALYSIS  OF  RESPONSES 


A.       DISTRIBUTION  OF  AUTOMATED  TERMINALS 


Exhibit  Hi- 1  shows  the  distribution  of  respondents'  automated  terminals,  which 
account  for  approximately  21%  of  the  estimated  1,900  bulk  terminals  in  the 
U.S. 

Ninety-six  percent  of  respondents'  automated  terminals  are  activated 
by  cardlock  systems. 

Respondents  who  were  unwilling  or  unable  to  indicate  how  their 
cardlock  activated  systems  are  distributed  in  terms  of  refinery  versus 
non-refinery  locations  stated  that  the  vast  majority  of  their  systems 
are  at  non-refinery  locations. 

INPUT  estimates  that  well  over  90%  of  automated  bulk  terminals  are  at 
non-refinery  locations,  and  that  a  similar  proportion  of  the  systems 
planned  for  installation  within  the  next  two  years  are  also  at  non- 
refinery  locations. 

Sixty-three  of  the  161  systems  installations  planned  are  upgrades  of 
existing  cardlock  and/or  keylock  systems  that  are  considered  to  be 
obsolete. 
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EXHIBIT  III-I 


AUTOMATED  TERMINALS  INSTALLED  AND  PLANNED 


OPERATORS 


VENDORS 


INSTALLED    PLANNED    INSTALLED  PLANNED 


Cardlock  Systems 
Refinery  Locations 
Non-Refinery  Locations 
Not  Specified 

Subtotals 

Keylock  Systems 
Refinery  Locations 
Non-Refinery  Locations 

Subtotals 


9 

276 
100 
385 

0 


o 


61 
61 


30 
282 

312 


1 50-250 
1 50-250 


Totals 


40 


312 


1 50-250 
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There  is  a  45%  overlap  of  installed  cardlock  systems  as  reported  by 
operators  and  by  vendors. 

B.       USER  SATSSF ACTION 

•  Operators  of  terminal  automation  systems  were  asked  to  rate  their  systems  in 
terms  of  reliability,  accuracy,  and  security.  Average  ratings  are  shown  in 
Exhibit  III-2. 

•  As  might  be  expected,  operators  who  have  designed  and  implemented  their 
own  terminal  automation  systems  gave  these  systems  the  highest  possible 
ratings  for  overall  performance,  reliability,  accuracy,  and  security. 

•  Observations  offered  by  respondents  with  respect  to  specific  vendor  systems 
are  as  follows: 

ESI; 

"ESI  system  works  well;  however,  it  is  now  obsolete." 

"ESI  systems  were  never  completely  debugged;  there  was  con- 
siderable misinformation  during  the  start-up  phase." 

General  Atomic: 

"General  Atomic's  field  and  telephone  response  to  our  calls  is 
consistently  prompt  and  thorough." 

"General  Atomic's  response  is  good." 

"Some  bugs  have  been  identified  in  the  General  Atomic  system, 
which  presently  accounts  for  the  three  ranking  for  security,  but 
General  Atomic  is  working  to  fix  these  bugs." 
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Sun  Information  Services; 

"Sun  system  has  been  bad  —  reliability  is  horrible  —  personnel 
don't  respond  to  problems." 

Others: 

"(We)  can  add  a  lot  of  security  with  keypad  input." 

"Rockwell  and  Veeder-Root  systems  are  now  obsolete,  therefore, 
rating  is  meaningless." 

C.       TERMINAL  ACCESS  CONTROL 
I.  PROCEDURES 

•  Methods  used  by  respondents  to  control  access  to  terminals  are  shown  in 
Exhibit  III-3. 

•  Respondent  "L"  on  this  exhibit  interpreted  literally  the  question  as  to  how 
access  is  restricted.  His  systems  actually  employ  card-activated  gates  and 
load  racks. 

•  Requiring  the  drivers  to  check  in  before  or  after  loading  is  an  added  security 
measure  used  by  some  operators. 

•  Requiring  the  driver  to  pick  up  the  bill  of  lading  away  from  the  load  rack 
(usually  at  the  terminal  shed)  is  a  safety  measure  as  well  as  a  security 
measure.  Printers  and  other  pieces  of  electrical  equipment  that  are  not 
explosion-proof  must  be  located  away  from  the  load  racks. 


-  17  - 


INPUT 


CO 

O 


CO 

O 
C 

> 


N 


X 


XX  X 


X   X    X    X  X 


X 


X 


X  X 


V) 

-o 

D 

o 

<D 

E 
o 

+- 

V) 

o 

k. 

o 
E 


H 
CD 

X 
X 

liJ 


to 
-J 
< 

z 

i 

a: 

ill 

H 

O 
I- 

to 
to 

LLI 

u 

< 


o 


o 

o 


X 


X 


(A 


o 

Cl 
O 


(J 


LU 


CD 


X  X 


X 


X  X 


X 


X  X 


X 


X  X 


X  X 


X 


X 


X   X    X  X 


X 


X   X    X  X 


X 


X    X   X   X    X  X 


X 


XX        X   X  0  X  X 


X  X 


X   X    X  X 


X 


+- 

o 

o 

-o 

4-  O 

> 


£  (S  o 

I  "S  ^  < 

>  8 

I-  _I 


0) 

c 
c 
o 


u 

D 

cr 

o 
o 


-D 

O 

> 

4- 

u 

< 

D 


CD 
_C 

D 
O 


cn 

o 
o 


u 
a; 


O 
o 


U   U   U  U 


O  XI 

-  E 
~  o 

o 

< 

Q_ 


Vi 

X 

o 


0) 
+- 

1- 

<D 
U) 
D 
C 

o 
E 

"o 
c 


(D 


C 


> 

X 

c 


a; 
c 
o 

CO 

_D 

CL 
X 

o 
o 

> 

\- 

X 

00 

E  ^ 

i-  X 


0) 


u 

■t— 

c 


X 
O 
Q. 


D 
+- 

D 

E 

0) 

> 


<  Q 


•t— 

D 
U) 

X 

CJ 

c 
c 

D 


CO 

D 

u 


C 


> 

o 

C 

o 
o 


Q. 

a; 
o 

CO 

X 
u. 
O 

o  ^ 
E  E 

P  w 
X 


X 

0) 

c 

D 
+- 

0) 

J3 


O 
O 


—     CVI  CO 


-  18  - 


INPU 


The  most  prevalent  access  procedures  for  automated  bulk  terminal  systems 
involve  the  use  of  two  punched  plastic  cards  identifying  the  driver,  the  carrier, 
and  the  customer,  as  shown  in  Exhibits  II 1-4  and  II 1-5. 

Vehicle  ID  is  used  only  when  the  operator  of  the  terminals  also  operates  the 
carrier  fleet. 

PERCEPTIONS  OF  VARIOUS  CARD  TYPES;  CONTROL  OF 
CARD  CREATION 

Exhibits  1 1 1-6  and  1 1 1-7  show  how  respondents  control  where  and  when  cards  are 
made,  and  by  whom. 

Punched  plastic  cards  are  generally  viewed  as  convenient  and  much  more 
secure  than  keylocks,  since  information  can  be  punched  into  the  cards  that 
identifies  the  using  driver. 

Cards  are  sometimes  created  right  at  the  terminal  by  the  terminal 
manager,  which  is  a  convenience  for  the  customer  but  by  the  same 
token  is  a  security  loophole.  - 

Card  creation  at  the  terminal,  if  done  with  stand-alone 
automation  systems,  does  not  permit  central  control. 

To  thwart  counterfeiting,  some  systems  employ  an  encrypting  algorithm 
that  scrambles  the  various  identification  codes  punched  into  the  cards. 
When  the  cards  are  used,  a  complementary  decrypting  algorithm 
decodes  the  information  which  is  then  utilized  in  table  look-ups  to 
perform  various  systems  checks. 

Such  cards  can  be  duplicated,  but  improper  use  of  a  duplicate 
card  can  be  traced  to  the  driver. 
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The  encrypting  algorithnns  substantially  increase  the  difficulty 
of  creating  fictitious  account  nunnbers. 

•  Magnetic  stripes  are  generally  perceived  to  be  more  secure  than  punched 
plastic  cards. 

However,  making  a  duplicate  of  a  punched  plastic  card  requires  the  use 
of  a  punch  machine  that  costs  a  few  hundred  dollars,  whereas  a  card 
with  a  magnetic  stripe  has  sometimes  been  duplicated  with  a  common 
home  f  latiron. 

Cards  with  magnetic  stripes  seem  more  susceptible  to  wear  and  tear 
than  punched  plastic  cards. 

Magnetic  striping  requires  the  use  of  a  fairly  expensive  machine,  and 
therefore  such  cards  tend  to  be  produced  away  from  the  terminal. 

Vendors  of  magnetically  striped  cards  assess  a  set-up  charge  (one 
respondent  quoted  $35  per  set-up)  and,  therefore,  cards  tend  to  be 
produced  in  batches  rather  than  individually. 

•  Respondents  generally  recognize  the  superiority  of  magnetically  embedded 
cards  over  punched  and  magnetically  striped  cards,  but  few  have  actual 
experience  with  such  cards. 

Since  bits  of  magnetic  material  are  embedded  in  the  plastic,  it 
obviously  involves  a  higher  cost  fabrication  process  but  also  is  much 
more  difficult  to  duplicate. 

D.       ACCESS  AUTHORIZATION 

•  Exhibits  III-8  and  III-9  shows  how  respondents'  terminal  automation  systems 
validate  information  entered  electronically  and/or  manually  prior  to  enabling 
pump  permissives. 
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•  The  use  of  a  "password"  code  in  conjunction  with  another  method,  sinniiar  to 
the  procedures  employed  when  using  bank  automated  teller  machines,  is 
recognized  to  increase  security  significantly. 

A  card  may  be  lost  or  stolen,  but  the  PIN  (personal  identification 
number  that  must  be  entered  via  thumbwheels  or  a  keypad)  cannot  be 
acquired  by  a  thief  unless  he  has  colluded  with  a  driver. 

Unfortunately,  some  drivers  write  the  PINs  right  on  the  cards.  Thus, 
security  measures  can  be  frustrated  by  the  failure  to  follow  through 
with  enforcement  of  procedures.  This  is  a  management  and  admini- 
strative problem. 

•  Respondents  could  offer  little  insight  into  what  their  customers  felt  relative 
to  the  strengths  and  weaknesses  of  each  access  method.  One  said  that 
customers  take  what  they  are  given,  and  two  surmised  that  customers  must 
like  the  methods  used  because  they  haven't  complained. 

E.       PERCEPTIONS  OF  TEMPORARY  ACCESS  CARDS 

•  Six  respondents  do  not  use  temporary  access  cards  at  all;  the  reason  given  is 
that  such  cards  are  an  unnecessary  security  risk.  The  type  of  access  card  does 
not  seem  to  have  any  bearing  on  the  non-use  of  temporary  access  cards  (three 
use  punched  cards  only,  two  use  both  punched  cards  and  cards  with  magnetic 
striping,  and  one  uses  cards  with  magnetic  striping). 

•  Temporary  access  cards  are  issued  by  five  respondents  to  terminal  managers 
only  for  their  own  use  or  to  enable  terminal  staff  to  access  the  load  racks  for 
maintenance  purposes. 
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•  One  operator  issues  a  "one  shot  use"  card  to  a  new  customer  so  that  the 
customer  can  withdraw  product  before  his  cards  are  issued. 

•  One  respondent  specified  a  house  card,  probably  for  use  by  drivers  who  are 
employed  by  the  operator. 

F.       CUSTOMER  CARD  CONTROL  RESPONSIBILITIES 

•  All  respondent  operators  require  their  customers  to  sign  a  written  agreement 
under  which  they  agree  to  be  liable  for  all  product  withdrawn  using  the  cords 
issued  to  them,  until  two  conditions  are  met: 

The  customer  must  notify  the  operator  that  a  card  (or  cards)  has/have 
been  lost  or  stolen,  and; 

The  operator  locks  out  the  card(s)  from  the  system  by  flagging  it  (them) 
as  no  longer  valid. 

•  Four  respondents  have  additional  card  control  requirements: 

One  requires  the  customer  to  post  an  indemnity  bond. 
Another  requires  proof  of  liability  insurance. 

A  third  has  a  blanket  agreement  for  the  customer  and  individual 
keystop  agreements  that  must  be  signed  by  individual  drivers. 

A  fourth  requires  the  drivers  to  turn  in  written  authorization  from  the 
customer  to  use  the  card  the  first  time  the  driver  goes  to  the  terminal. 

•  All  respondents  felt  that  the  fact  that  the  customer  is  100%  liable  for  all 
product  withdrawn  until  notification  and  lockout  is  complete  provides  a 
powerful  incentive  for  the  customer  to  be  on  guard  against  fraudulent  use  of 
the  cards  issued  to  him  or  his  personnel. 
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•  The  terminal  automation  systems  reported  on  authorize  access  only  after  the 
information  entered  via  the  access  cards  (plus  any  supplemental  information 
entered  as  part  of  the  procedure)  has  been  validated  by  the  system. 
Additionally,  blanket  customer  information  —  allocation  limits,  type  of 
product  —  is  used  to  control  the  pump  permissives. 

•  Although  most  respondents  indicate  that  they  have  the  capability  to  lock  out  a 
customer's  cards  on  a  selective  basis  (such  as  between  the  hours  of  I  I  p.m. 
and  5  a.m.,  or  on  Saturdays,  Sundays  and  holidays)  it  seems  debatable  whether 
customers  actually  avail  themselves  of  this  feature. 

G.       SUMMARY  REPORT  REVIEW 

•  Most  summary  reports  produced  by  the  terminal  automation  systems  are 
reviewed  on  a  daily  basis  by  respondents,  as  shown  in  Exhibit  ill-IO. 

While  daily  reviews  of  such  reports  may  not  enable  an  operator  to  stop 
an  attempted  theft  in  progress,  they  at  least  provide  clues  of  unusual 
activity. 

From  a  security  standpoint,  such  reviews  are  effective  if  they  mean 
that  thefts  cannot  remain  undetected  for  more  than  24  hours. 

Their  effectiveness  can  be  further  heightened  by  aggressive 
publication  of  the  fact  that  daily  reviews  no  longer  make  it 
possible  for  thefts  to  escape  detection  for  long  periods  of  time. 
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H.       SYSTEM  BYPASS 


•  Exhibit  ili-l  I  presents  operators'  responses  to  questions  regarding  the  bypass 
of  automation  systems. 

•  Automation  system  bypass  is  allowed  only  when  a  malfunction  of  some  sort 
occurs,  or  when  preventive  or  emergency  maintenance  is  performed. 

•  System  bypass  can  be  legitimately  activated  only  by  a  person  in  a  management 
position.  While  the  system  bypass  is  in  effect,  this  person  is  responsible  and 
accountable  for  everything  that  happens  at  the  terminal. 

•  Generally,  systems  characterized  by  respondents  as  being  obsolete  are  unable 
to  monitor  activity  while  the  bypass  is  in  effect. 

i,        THEFT  EXPERIENCE 

•  The  most  prevalent  pattern  detected  in  actual  or  attempted  thefts  from 
respondents'  or  others'  terminals  was  that  of  an  inside  job. 

Comments: 

"At  least  one  theft  was  an  inside  job:  a  contract  carrier  who  was 
very  familiar  with  the  old  system.  We  knew  there  was  product 
missing  but  couldn't  say  why  because  he  took  the  relevant 
documentation  with  him." 

"Inside  must  help  outside  to  get  into  the  cookie  jar." 
"Carriers  often  become  the  focal  point  in  investigations." 
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EXHIBIT  III-I I 


SYSTEM  BYPASS 

Why. 

Malfunction. 

Maintenance. 

Acts  of  God  (fire,  etc.) . 
By  whom. 

Terminal  manager. 

Company  management. 

Alternate  or  designee. 
Ability  to  monitor  while  bypass  is  in  effect. 

Yes      I  I 

No  4 
Liability. 

Terminal  manager  100% 
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•  Geographic  patterns  identified  were  large  metropolitan  areas  on  the  East  and 
West  Coasts. 

One  respondent  cited  Boston,  New  York,  and  Philadelphia  as  the  places 
more  likely  to  sustain  actual  or  attempted  theft.  He  speculates  that 
the  unions  in  these  East  Coast  cities  are  older  and  more  solidly 
entrenched  than  elsewhere,  and  that  their  long  history  of  antagonism 
toward  corporate  employers  has  led  to  a  mindset  which  holds  that  union 
members  have  less  of  an  obligation  to  their  employers  than  employers 
do  to  employees.  He  also  thinks  that  in  these  areas  people  tend  to  think 
that  stealing  from  a  multi-billion  dollar  corporation  is  not  immoral, 
even  though  it  involves  breaking  the  law;  he  likened  this  perception  to 
habitually  exceeding  the  speed  limit:  it  is  perceived  to  be  wrong  only  if 
one  gets  caught. 

•  Exhibits  ilI-12  and  111-13  show  respondents'  acquaintance  with  actual  and 
attempted  theft  of  product,  from  their  own  and  others'  terminals, 
respectively. 

J.       FUTURE  ANTI-FRAUD  ACTIONS 

•  Respondents  are  actively  exploring  a  number  of  possibilities  for  improving 
security.  These  are  shown  in  Exhibit  111-14  and  111-15. 

•  One  solution  being  sought,  which  INPUT  feels  to  be  deserving  of  priority  R&D 
funding,  is  an  electronic  —  rather  than  an  electromechanical  —  pulser  or  flow 
meter.  Current  technologies  being  employed  can  be  disabled  relatively  easily 
with  a  screwdriver  or  a  small  magnet. 
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EXHIBIT  m-12 


THEFT  EXPERIENCE  -  OWN  TERMINALS 


Distribution. 

None  6 

"No  connment"  2 

Yes  7 
Patterns  of  theft  perceived. 

inside  job  (known  or  suspected) 

Time:  Long  holiday  weekend,  night 

Place:  Large  metropolitan  areas 

"Boston,  New  York,  and  Philadelphia  are  the  worst. 
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EXHIBIT  111-13 
THEFT  -  OTHERS'  TERMINALS 

•  Distribution. 

No  knowledge  4 


•         Patterns  of  theft  perceived. 

No  particular  pattern  4 

Inside  job  (known  or  suspected)  5 

Time:  Long  holiday  weekend  2 

Place:  Large  nnetropolitan  areas  4 
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EXHIBIT  111-14 
SPECIFIC  ANTI-FRAUD  ACTIONS  CONTEMPLATED 

•  Positive  driver  identification. 

Cameras  at  all  gates. 

Possible  use  of  social  security  number. 

Some  form  of  video  tracking. 

•  Procedural. 

Twice  a  month,  on  a  random  time  basis  -  lock  out  all  cards  to  force 
manual  checking  at  gate. 

•  Access  card  related. 

Convert  to  two-card  system. 

Use  cards  that  cannot  be  duplicated. 

Convert  to  magnetically  encoded  cards. 
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EXHIBIT  111-15 

SPECIFIC  AhJTI-FRAUD  ACTIONS  CONTEMPLATED  -  (continued) 

•         System  enhancements. 

Bring  every  terminal  up  to  the  same  engineering  specification  level. 

Redundancy  to  protect  against  complete  loss  of  data. 

More  detailed  logging  of  rack  activity  accessible  via  CRT  or  printer 
readout. 

Software  adjustment  of  meter. 
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K.       OPERATOR  EXPECTATIONS  OF  SYSTEM  VENDORS 


INPUT  asked  the  operators  to  identify  their  most  pressing  systenns  concerns  by 
requesting  them  to  state  what  advice  they  would  give  systems  vendors.  The 
responses  are  shown  in  Exhibit  111-16. 

Operators  are  not  fully  satisfied  with  off-the-shelf  solutions,  but  expect 
more  customization  in  the  future. 

Customer  support  in  terms  of  good  and  fast  response  to  problems  is 
essential. 

Better,  more  positive  ways  of  identifying  a  thief  is  a  priority  concern. 


L.       CONCLUSIONS  AND  RECOMMENDATIONS 


•  Exhibit  111-17  presents  the  conclusions  that  INPUT  has  reached  based  on  its 
analysis  of  the  survey  responses. 

•  INPUT  believes  that  operators  must  follow  through  with  procedural  standards 
necessary  to  enforce  security. 

•  The  mere  existence  of  security  measures  will  not  deter  theft  unless  the 
information  that  a  thief's  connection  with  an  insider  can  be  swiftly  identified 
is  aggressively  publicized. 

•  One  other  technique  that  immediately  suggests  Itself  Is  frequent  changing  of  a 
portion  of  the  PIN  number,  much  as  passwords  for  Interactive  systems  are 
changed  frequently. 

This  would  increase  the  difficulty  of  attempts  to  crack  codes  by  brute 
force. 
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_    EXHIBIT  111-16 
ADVICE  FOR  TERMINAL  AUTOMATION  SYSTEMS  VENDORS 

•  Know  your  customer,  take  care  of  him. 

Spend  more  time  to  learn  customers'  unique  needs. 
New  systems  need  to  be  custom  made. 

Administrative  control  of  computer  system  should  be  discussed 
thoroughly  with  customer. 

•  System  considerations. 

Improve  reliability. 
More  redundancy. 

Electronic. 

Electromechanical. 
Insure  against  data  loss. 
Provide  good/fast  response  capability. 

•  Driver  identification. 

Absolutely  identify  driver  (fingerprint,  voiceprint,  etc.). 
Use  methods  that  will  stand  up  in  court. 
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EXHIBIT  111-17 
CONCLUSIONS 

Access  Method  Considerations 

•  Driver  identification:  a  key  elennent. 

•  Punched  plastic  and  magnetically  striped  cards:    a  significant  improvement 
over  keylock  systems. 

Duplicates  can  be  traced. 

Fictitious  accounts  are  difficult  to  create. 

•  Magnetically  encoded  cards  increase  the  cost  of  duplicating. 
Administrative  Considerations 

•  Systems  checks  and  verifications  identify  the  driver  adequately. 

•  Daily  reviews  of  summary  reports  are  effective  in  detecting  unusual  activity. 

•  Deterrence  of  theft.  . 

A  management  issue,  not  a  systems  issue. 

•  Publicize  system's  ability  to  identify  the  individual  user. 

•  Activity  of  pursuit  will  be  perceived  as  evidence  of  heightened  risk. 
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APPENDIX    A:  QUESTIONNAIRE 


! 

i 

i 

f 

i 
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CATALOG  NQ.IYIAiBITI  I 


AUTOMATED  BULK  TERMINAL  STUDY 


USER/VENDOR  QUESTIONNAIRE 


GENERAL 

How  many  bulk  terminals/terminal  automation  systems  do  you  presently  operate/have 
installed? 


How  many  do  you  plan  to  build/install  over  the  next  two  years? 


Of  the  number  installed,  how  many  are: 


At  A  Refinery 

Location  Not  At  A  Refinery 


Automated 
Key  Lock 
Card  Lock 

(USERS  ONLY) 

Not  Automated 


(IF  NO  AUTOMATED  TERMINALS  INSTALLED,  SKIP  TO  QUESTION  20.) 
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CATALOG  NO.  Y  A  BT 


(USERS  ONLY) 

2a.      Who  is/are  the  vendor(s)  of  your  automation  systems?  On  a  scale  of  I  to 
5,  where  I  =  Totally  dissatisfied  and  5  =  Completely  satisfied,  how  would 
you  rank  your  level  of  satisfaction  with  the  automation  system(s)? 


No.  Of 

Locations 


Vendors 


Relia- 

Overall       bility    Accuracy  Security 


Amoco/IBM  (Petrodata) 
ESI 

General  Atomic 
Motorola 
Rockwell 
A.O.  Smith 

Sun  Information  Services 
Other 


Observations: 
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CATALOG  NO.  lYlAlRlT 


(USERS  ONLY) 

2b.      In  terms  of  overall  security,  how  would  you  rank  the  above  on  a  scale  of 
=  not  secure  to  5  =  Very  secure? 


Vendor 


Rank 


Amoco/IBM  (Petrodata) 
ESI 

General  Atomic 
Motorola 
Rockwell 
A.O.  Smith 

Sun  Information  Services 
Other 


Observations: 


H.  SECURITY 

We  would  like  to  explore  specific  aspects  of  security.  We  will  be  discussing  the  follow 
in  the  context  of  security. 

•  Access  to  the  terminal. 

•  Driver  procedures. 

•  Card  control. 
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A.       Access  To  The  Terminal  - 

3.        How  is  access  to,  end/or  exit  from,  the  terminal  and  the  load  racks  restricted? 
(Check  all  that  apply.) 


TV  monitor. 

Locked  gate. 

Manned  gate. 

Card-activated  gate. 

Card-activated  load  rack. 

Check  in  at  terminal  shed  before  loading. 

Check  out  at  terminal  shed  after  loading. 

Pick  up  bill  of  lading  at  a  location  away  from  the  load  rack. 

Other 


Observations: 


B. 


Driver  Procedures 


4,        Do  you  use  a  single  or  multiple  card  system? 


(   )  Single      (    )  Multiple 


If  multiple,  how  many  cards  are  used? 


5.        What  type(s)  of  cards  are  used? 
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CATALOG  NO.  lYIAIBit 


a.  Physical 


Punched  plastic  card. 

Card  with  magnetic  striping. 

Magnetically  encoded  card. 

Color  coded  card. 

Other 


Logical 


Carrier  ID 
Driver  ID 
Vehicle  ID 
Custonner  ID 
Other 


Additional  Procedures 


In  conjunction  with  the  use  of  the  cards,  does  your  system  use: 


Identification  codes  (i.e.,  PIN  number) 
Keylocks. 

Pre-dispatch  of  invoices. 

Independent  methods  of  identifying  driver  and  truck. 
Other 
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CATALOG  NO.  lYlAlBlTl 


Please  describe  what  you  feel  are  the  strengths  and  weaknesses  of  each  of 
the  following  methods  of  controlling  access  to  the  terminal. 

Punched  plastic  access  card  


Access  card  with  magnetic  striping 


Magnetically  encoded  access  card 


Keylock 


Use  of  a  code  in  conjunction  with  another  method 


Use  of  a  code  by  itself 
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CATALOG  NO.  lYIAIBIT 


What  do  you  think  your  customers  see  as  the  strengths  and  weaknesses  of 
these  nnethods? 

Punched  plastic  access  card  ^_  


Access  card  with  magnetic  striping 


Magnetically  encoded  access  card 


Keylock 


Use  of  a  code  in  conjunction  with  another  method 


Use  of  a  code  by  itself 
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CATALOG  NO.  IYIAIBUT 


How  susceptible  do  you  think  is  each  method  to  fraudulent  abuse?  Why? 
Punched  plastic  access  card  


Access  card  with  magnetic  striping 


Magnetically  encoded  access  card 


Keylock 


Use  of  a  code  in  conjunction  with  another  method 


Use  of  a  code  by  itself 
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CATALOG  NO.  EE 


3 


C.       CARD  CONTROL 

7.        With  respect  to  card  creation: 
Who  does  it?  

Where  is  it  done? 


When  is  it  done? 


8.        Do  you  issue  tennporary  access  cards? 
(   )YES        (    )N0  ' 

if  yes,  would  you  describe  your  procedure  for  issuing  and  controlling  them? 


If  no,  why  not? 
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CATALOG  NO.  lYIAIBIt 


9a.      What  are  your  customers'  responsibilities  with  respect  to  issuing  and  controlling 
access  cards? 


9b.      What  are  your  customers'  liabilities  and  obligations  in  the  event  that  access 
cards  are  used  improperly? 


Oa.     When  the  card(s)  is/are  being  used  to  gain  access  to  the  terminal  or  the  load 
rack,  does  your  system: 


Ver 
Ver 
Ver 
Ver 
Ver 


f  y  the  carrier  ID. 
fy  the  driver  ID. 
f  y  the  vehicle  ID. 
f  y  the  customer  ID 

f  y  any  other  ID  or  procedure.  (Describe) 


Ob.     What,  specifically,  does  the  system  perform  to  check  the  authenticity  of  the 
card  being  used  (i.e.,  it  is  not  a  counterfeit)? 
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CATALOG  NO.  KIE 


lOc.     After  the  identification  has  been  verified,  are  additional  tests  performed 
by  the  system  to  verify  that  the  access  is  authorized  with  respect  to: 

(  )  The  time  of  day  or  day  of  the  week. 

(  )  The  volume  of  product  dispensed. 

(  )  The  type  of  product  dispensed. 

(  )  The  customer's  pre-arranged  allocation  limit. 


Observations 


II.  In  the  event  that  the  automation  system  is  bypassed: 
a.        Why  would  it  be  necessary  to  do  so? 


b.        Who  is  authorized  to  activate  the  system  bypass? 
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CATALOG  NO.IYIAIBITI  I  !  I 


12.      In  the  event  that  the  active  (enabling/disabling)  portion  of  the  system  fails, 
can  the  system  continue  to  monitor  activity  at  the  terminal? 

(   )  YES        (    )  NO 


Observations: 


13.      What  is  the  extent  of  the  terminal  operator's  liability  if  the  system  bypass 
is  activated? 


I 

'* 

14.      Which  of  these  features  are  incorporated  in  your  system  and  are  reviewed  ^ 
regularly  to  detect  a  breach  of  security?  j 

i 

(  )  Product  withdrawal  measurement  reports.  | 
(    )     Bills  of  lading. 

(  )  Audit  trail.  | 
(  )  Activity  summary  reports.  | 
(  )  Delivery  verification.  ' 
(    )      System  log  review. 

(  Product  receipt  measurement  reports  (return  credits).  . 
(    )      Other  \ 


  1 

i 
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CATALOG  NQ.IYIAIBITI  i  I  ! 


15.      What  specific  contractual  .responsibility  does  the  customer  have  to  insure 
that  his  method  of  access  is  not  used  fraudulently? 


16.      If  the  access  method(s)  is/are  used  in  unauthorized  fashion,  what  is  the  extent 
of  the  customer's  liability? 


III.      BREACH  OF  SYSTEM  SECURITY 

17.       Have  you  experienced  actual  or  attempted  theft  of  product  from  your  automated 
bulk  terminals? 
(   )  YES        (    )  NO 

If  yes,  were  there  any  characteristics  that  suggested  a  pattern  of  any  sort 
(geographic,  time  of  day  or  day  of  week,  type  of  customer,  inside  jobs,  etc.)? 
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CATALOG  NO.  lYlAlFi  if 


18.      Have  you  heard  of  any  actual  or  attempted  theft  of  product  from  any  automated 
bulk  terminals? 
(    )YES        (  )N0 


If  yes,  were  there  any  characteristics  that  suggested  a  pattern  of  any  sort 
(geographic,  time  of  day  or  day  of  week,  type  of  customer,  inside  jobs,  etc.)? 


19.      In  future  installations,  what  specific  actions  do  you  contemplate  taking  to 
increase  the  level  of  security  against  fraud? 


USERS  ONLY 


20.      What  advice  would  you  offer  to  vendors  of  products  related  to  the  automation 
of  bulk  terminals?  - 
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